4

I have created a simple REST API for my application using Node/Express. I am using AngularJS on the front end to serve pages to the user.

I would like to add functionality such that the API can only be accessed via my front end, and no one should be able to make a GET/POST request to my site and get the data.

What strategies can I use to achieve this?

dopplesoldner

1 Answer

1

HTTP requests can be formatted and sent to a server by many means besides a browser (curl, for example), so a server always detecting the correct source of a request is not guaranteed.

The basic method to protect an endpoint would be to use some kind of authentication. The requesting client must present something uniquely identifying it. The API should provide a client a token after it proves itself authentic (via login, etc.), and all subsequent requests would be checked for this token.

S.D.
  • If my client is a web application written in AngularJS, anyone can view the source and the token, how can I go around that? Sorry if my questions are amateurish. – dopplesoldner Apr 30 '14 at 17:30
  • @dopplesoldner That's why you encrypt it and store it in session storage of one user's browser. – S.D. Apr 30 '14 at 18:12